Tips for securing Cisco administrative access

In this article I would explain some tips for securing Cisco administrative access.

When creating passwords, keep these rules in mind:

• Make passwords lengthy
• Passwords should combine letters, numbers, and symbols. Passwords should not use dictionary words
• Change passwords as often as possible

Strong passwords are the primary defense against unauthorized access to your router. The best way to manage passwords is to maintain them on an AAA server, but not all people can have/manage a AAA server.

Cisco provides a number of enhanced features that allow you to increase the security of your passwords.

For the basic configuration read this article.

Protecting Line Access

Resctrict the AUX, VTY and console access with a password or with a username/password.

The simplest configuration to protect is:
Enables password checking at login

login

Sets the password

password my_password

Note: Administrators sometimes use auxiliary ports to remotely configure and monitor the router using a dial-up modem connection. If you want to turn off the EXEC process for the aux port, use the no exec command within the auxiliary line configuration mode.

service password-encryption

All Cisco router passwords are, by default, stored in plaintext form within the router configuration (see the running-config or startup-config …). Cisco permits to “hide” these password with a proprietary Cisco algorithm based on a Vigenere cipher. To encrypt system password use:

service password-encryption

For instance, if you set an “enable password ciscozine” without this feature the password in your running-config is in plaintext:

enable password ciscozine

but if you enable service password-encryption command, the password is hidden:

enable password 7 02050D4808091528424B

Remember: When you remove the service password-encryption command with the no form, the command does not decrypt the passwords.
Remember:Vigenere cipher is not a SECURE crypto algorithm; in fact you can find many software to decrypt this type of password. This method is not as safe as MD5, which is used with the enable secret command, but prevents casual discovery of the router line-level passwords.

Use MD5

Use MD5  hash function where it is possible; for instance:

• enable secret command is more secure than enable passwordcommand, because it use MD5 algorithm for hash the passsword.
• username my_user secret my_passwordis more secure than username my_user password my_password, because it use MD5 algorithm for hash the passsword.

Timeout

By default, an administrative interface (TTY, AUX, ….) stays active (and logged on) for ten minutes after the last session activity. A better choise is to limit the time to three minutes.
To adjust this timer to 2 minutes and 30 seconds:

exec-timeout 2 30

Remember: Setting the exec-timeout value to zero means that there will be no timeout and the session will stay active for an unlimited time. Do not set the value to zero.

Protecting against dictionary attack

Cisco has implemented many features to procted router/swtich against dictionary attack; there are many ways to protect:

• security password min-length
  From Cisco IOS Release 12.3(1) and later it is possible to define a minimum password length (default is Six characters). This command affects user passwords, enable passwords and secrets, and line passwords that users create after the command is executed. Existing router passwords remain unaffected.

For instance, if you would set a minimum password length of 8 characters:

security password min-length 8

If you insert a password that not respect the lenght an error message is displayed:

Password too short - must be at least 8 characters. Password not configured.

• security authentication failure rate
  From Cisco IOS Release 12.3(1) and later, it it possible to configure the number of allowable unsuccessful login attempts. The security authentication failure-rate command provides enhanced security access to the router by generating syslog messages after the number of unsuccessful login attempts exceeds the configured threshold rate. This command ensures that there are not any continuous failures to access the router.

After the 15-second delay has passed, the user can continue to attempt to log in to the router.

The following example shows how to configure your router to generate a syslog message after five failed login attempts (a 15-second delay timer starts after the number of login failed is reached):

security authentication failure rate 5 log

• login block for
  Another helpful command to block dictionary attack is the login block forcommand. This command permits to block for ‘x’ seconds after ‘y’ login are tried within ‘z’ seconds. See below to understand how the command works.

The following example shows how block login access for 120 seconds after 5 failed login attempts within 30 seconds:

login block-for 120 attempts 5 within 30

Remember:All login attempts made via Telnet, SSH, and HTTP are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued.

• login quiet-mode access-class
  It is possible to define an ACL to permit login attempts when the login access is blocked by the login block-for or by the security authentication failure rate command. It can be useful in emergency situation.

login quiet-mode access-class 101

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

The following logging message is generated after the router switches to quiet-mode:

00:04:07:%SEC_LOGIN-1-QUIET_MODE_ON:Still timeleft for watching failures is 158 seconds,
[user:ciscozine] [Source:192.168.10.10] [localport:23] [Reason:Invalid login], [ACL:22] at 16:17:23
UTC Wed Apr 15 2009

The following logging message is generated after the router switches from quiet mode back to normal mode:

00:09:07:%SEC_LOGIN-5-QUIET_MODE_OFF:Quiet Mode is OFF, because block period timed out at
16:22:23 UTC Wed Apr 15 2009

• login delay
  From Cisco IOS Release 12.3(4)T and later, it is possbile to define the time between successive login attempts. If this command is not enabled, a login delay of one second is automatically enforced after the login block-for command is applied to the router configuration.For instance, if I would define a delay of 10 seconds, use this command:

login delay 10

Logging login requests

It is possible logging failure/success login requests:

• login on-success
  Generates logging messages for successful login attempts. For example:

  00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:ciscozine] [Source:192.168.10.10]
  [localport:23] at 16:30:40 UTC Wed Apr 15 2009

• login on-failure
  Generates logging messages for failed login attempts. For example:

  00:03:34:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:ciscozine] [Source:192.168.10.10]
  [localport:23] [Reason:Invalid login] at 16:32:12 UTC Wed Apr 15 2009

To check login enforcement settings use the “show login” command.

Disable password recovery

Cisco permits to recover password during the reload system. This scenario presents a potential security breach because anyone who gains physical access to the router console port can enter ROMMON, reset the enable secret password, and discover the router configuration.

For this reason, it is possible disable password recovery procedure. To do it use the “hidden” command “no service password-recovery”.

When you configure the router, disabling password recovery feature, you see this message:

ciscozine(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: yes
ciscozine(config)#

When the no service password-recovery command is configured, you see this message during boot up:

System Bootstrap, Version 11.1(19)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1998 by Cisco Systems, Inc.
C3600 processor with 65536 Kbytes of main memory
Main memory is configured to 64 bit mode with parity enabled

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x10ce394
Self decompressing the image : #########################################################
########################################################################################
#######################################################################    [OK]

Remember: If a router is configured with the no service password-recovery command, this disables all access to the ROMMON. If there is no valid Cisco IOS software image in the Flash memory of the router, the user is not able to use the ROMMON XMODEM command in order to load a new Flash image. In order to fix the router, you must get a new Cisco IOS software image on a Flash SIMM, or on a PCMCIA card, for example on the 3600 Series Routers.

References:

• http://www.cisco.com/…/sec_login_enhance.html
• http://www.cisco.com/…/configuration_example09186a00801d8113.shtml